Features

Active Directory Management

Active Directory plays a major role in many critical processes within organizations. Effective and
secure Active Directory management becomes increasingly important and at the same
time increasingly challenging, especially in large and complex environments. Native tools for
Active Directory management are inefficient as they provide only basic functionality and cannot be
used for Active Directory automation,
web-based administration,
role-based security, cross-domain management,
audit of changes, etc. It becomes obvious that a higher-level solution like Adaxes is needed to
cope with all challenges associated with Active Directory management. Softerra Adaxes provides a
number of much-needed features that make Active Directory management, maintenance and
administration much more simple, secure and effective.

Adaxes includes two powerful tools for Active Directory management: Adaxes Administration Console
and Adaxes Active Directory Web Interface.
Adaxes Administration Console is a desktop application that provides a GUI interface designed for
the use by Active Directory administrators. While at first glance it looks pretty similar to
Active Directory Users and Computers (ADUC), there are a number of significant differences. Apart
from the functionality provided by ADUC, Adaxes Administration Console offers you plenty of great
features aimed at facilitating the everyday Active Directory management, including:

Active Directory User Management

One of the main goals of Softerra Adaxes is to make Active Directory user management simple and
efficient. Adaxes allows you to update thousands of Active Directory users in one operation using
modification templates. For example, you can change the Display Name property of multiple users
using a template like '%lastname%, %firstname%'.
Also, Adaxes enables you to assign default property values, specify a range of allowed values, and
make certain user properties required. For example, you can assign default value '90210' to
the Zip/Postal Code property and make this property mandatory, specify that the Department property
can contain only 'Sales', 'HR', and 'IT' values, automatically generate the
Web Page property for new AD users using a template like 'http://example.com/%department%/%username%'.

Also, Adaxes aids in avoiding routine and repetitive Active Directory management tasks by giving the ability to automate user provisioning, management, and deprovisioning. For example, after a new user is created, Adaxes can automatically create an Exchange mailbox and home folder for the user, add the user to certain AD groups, enable the user for Lync, send a welcome email, etc. When the Department property of the user is changed, Adaxes will automatically update the group membership of the user, move the user to the OU associated with the new department, update necessary properties of the user account, execute a PowerShell script to synchronize the changes with an HR application, etc. For more details, see
Active Directory Automation.

Specialized Views of Active Directory Content

It often happens that you need to perform certain operations on Active Directory objects that are
located in different OUs or even in different AD domains and forests. For example, members of one
and the same department can be spread across multiple OUs if you have a geographically based
Active Directory OU structure. To make Active Directory management easier without changing the OU
structure, Adaxes introduces virtual OUs called Business Units. Business Units let you collectively
manage objects regardless of their location in Active Directory. Business Unit membership is determined
by flexible membership criteria that allow including AD objects that match specific search parameters,
objects located under a specific OU, members of AD groups, etc.

Business Units make Active Directory management even more flexible by letting you assign specific
automation rules, enforce enterprise standards and delegate administrative responsibilities over
members of a Business Unit.

Delegation of Active Directory Management

Delegation of administrative tasks to non-administrative level users is yet another challenge in
Active Directory management. Native Active Directory security model involves a very labor-intensive
manual maintenance of multiple Access Control Lists (ACLs) across Active Directory and makes it very
difficult to control what privileges users and groups are granted.

Adaxes makes the delegation of Active Directory management tasks more effective, transparent, and
traceable by providing a role-based access control (RBAC) model. Permissions necessary to perform
a certain set of tasks are grouped in Security Roles (e.g. Help Desk or Account Manager) that are
assigned to users in accordance with their role in the organization. This approach enables
centralized access management across Active Directory, helps you apply the principle of
'least access', allows you to securely and effectively grant and revoke multiple rights for
multiple users and groups. For more details, see
Active Directory Delegation.

Tracking Active Directory Changes

Adaxes provides powerful means for monitoring of Active Directory management activities. Each
operation performed in Active Directory via Adaxes is logged in the Adaxes Service Log. This
allows you to track who made a change, when, from which host, etc. You can also monitor the
activities of a specific AD user or see what operations were performed on a specific AD object.

Security sensitive Active Directory changes can also be monitored through establishing an approval
mechanism. The approval-based workflow implemented in Adaxes gives you additional control over
Active Directory management as it provides the ability to perform critical operations only after
their execution is approved by a higher level official or administrator.

Also, Adaxes can be configured to automatically send email notifications of critical changes
performed in Active Directory thus enabling you to react to suspicious activities once they have
occurred.

Custom Commands for Active Directory Management

Active Directory management very often involves various in-house administrative tasks that require
multiple steps to complete. For example, every time an employee gets promoted, transferred to a
new department, is assigned to a project, goes on a vacation, gets sick, etc, a variety of different
activities must be carried out. Such activities usually include updating properties of the user
account, changing membership in AD groups, enabling/disabling the user, sending e-mail notifications,
etc. Performing all these operations manually could be very time-consuming and error-prone,
especially if non-technical users are involved in the process.

Adaxes enables you to define your own Custom Commands to perform such complex and routine
Active Directory management tasks in a single mouse click.

Scheduled Tasks for Active Directory Management

Adaxes can automatically perform various tasks related to Active Directory management based on a
predefined schedule. The most typical Active Directory management tasks that can be automated with
the help of Scheduled Tasks include:

sending password/account expiration notifications,

deleting inactive user and computer accounts from Active Directory,

automatically maintaining Active Directory group membership,

automatically moving Active Directory objects between OUs,

synchronizing Active Directory with external data sources,

and much more...

If necessary, you can control the execution of Scheduled Tasks via approvals. A task can
be configured to request an approval for each action it executes. Actions that require approval
will not be executed until approved by a person in charge.